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DETAILED ACTION 

1 . This written action is responding to the amendment dated on 01/26/2010 

2. Claims 50, 53-54, 56-57, and 65 have been amended. All other claims 
are previously presented. 

3. Claims 1, 4-6, 11, 32-34, 40-50, 53-54, 56-63, and 65 have been 
submitted for examination. 

4. Claims 1 , 4-6, 1 1 , 32-34, 40-50, 53-54, 56-63, and 65 are pending 

Response to Arguments 

5. Applicant's amendment, filed on Jan. 26, 2010, has claims 50, 53-54, 56- 
57, and 65 amended to overcome the 35 USC 101 rejection and all other 
claims as previously presented. 

6. Applicant's remark, filed on Jan. 26, 2010, argued that Baum's description 
of a rule based packet filter fails to teach or suggest that the filter 
determines whether a packet includes audio or video in classifying that 
packet, as recited in claim 1 . 

7. Applicant's remark has been fully considered, but found not persuasive 
based on the reasons below. 

Response to Argument: 

Examiner respectfully traverses Applicant's assertion that Baum's 
description of a rule based packet filter fails to teach or suggest that the 
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filter determines whether a packet includes audio or video in classifying 
that packet. Baum specifically teaches the claimed limitation regarding 
classifying the received data packet by having firewall mechanism 
(element 338), which acts as a rule based packet filter (see lines 61-62, 
Col. 5 from Baum) and filter that determines a packet includes audio or 
video content (see lines 41-43 and 55-59, Col. 2 and lines 20-22, Col. 7 
from Baum). That is, the classifying is performed by distinguishing 
whether the packet is data or voice (real-time audio stream) (see lines 20- 
22, Col. 7 from Baum). Therefore, contrary to Applicant's assertion, the 
teaching from Baum addresses the argued limitation regarding 
determining whether a packet includes audio or video in classifying that 
packet, and combination of Fink, Joyce, and Baum is proper such that the 
combination results the claimed features as recited in claim 1 . 

Rejections for claims 49, 50, and 62, which contain similar claimed 
features, are also maintained for at least the same rationale as stated 
above. Likewise, rejections to all other claims, which are dependent of the 
respective independent claims 1, 49-50, and 62, are maintained. 
Applicant is reminded that modification to clarify the limitations of 
independent claim is necessary for further consideration. 
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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 1 02 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

8. Claims 1, 4-5, 11, 32-34, 40-50, 53, 56-63, and 65 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Fink et al. (U.S. Patent 
6,496,935) and further in view of Joyce (U.S. Patent 6,519,703) and Baum 
et al. (U.S. Patent 6,400,707). 
/'. Referring to Claims 1, 49, 50, and 62: 

As per Claim 1 , Fink et al. disclose an apparatus comprising: 
a firewall [(fig. 1)] configured to: 

receive data packets over a first network [Packets which are 
permitted to pass through gateway 15 from external network 
14 are then received by one of a plurality of protected nodes 
20 (lines 335-37, Col. 5)]; 

classify the received data packets based on the contents of the 
data packets into packets of a first type and second type 
[inspects the contents of such packet or packets (line 67, 
Col. 6). Pre-filtering module 30 also preferably features a 
classification engine 38, including a data processor, for at 
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least partially analyzing the information from the packet 
(lines 4-6, Col. 8)]; 

Fink et al. do not expressly disclose the remaining limitations of 
the claim. However, Joyce discloses packets which cannot 
contain virus and packets which can contain a virus and the virus 
scanning engine for testing if the packet contains virus [Prior to 
use, heuristic firewall 10B is trained to perform specific 
desired tasks. In this embodiment, for example, a first 
heuristic stage 36 is trained to recognize absolute high- 
confidence traffic, computer virus and Trojan signatures, 
denial-of-service attack signatures, and other computer 
security exploit signatures. After training and during use, if 
heuristic stage 36 clears a packet stream with a "high- 
confidence" rating (i.e., an analysis of the packets 22 by 
heuristic stage 36 results in a high level of confidence that 
the packet stream does not contain threats that heuristic 
stage 36 is trained to detect), buffer 24 releases the packets 
into a secured channel 38 directly into network 30. If 
heuristic stage 36 processing results in only a lesser 
confidence rating (i.e., a "good-confidence" rating) that 
threats are absent, buffer 24 releases the packets into a 
traditional firewall rule base 12 for standard processing. In 
this case, the output of traditional firewall rule base 12 is 
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buffer 28. If heuristic stage 36 determines that the packet 
stream is certainly corrupted or otherwise undesired or that 
threats are detected ("poor-confidence"), buffer 24 shunts 
the packets elsewhere, for example, either out of the firewall 
(e.g., to a "bit bucket" such as /dev/null, where they are 
discarded) or it shunts them elsewhere 26 for additional 
processing. If heuristic stage 36 is not certain as to the 
validity of the packets ("marginal-confidence"), buffer 24 
releases the packets into complex firewall rule base 14 for 
processing. The output of complex firewall rule base 24 is 
buffer 40 (lines 32-58, Col. 3)]; and forward the data packets of 
the first type to a destination without testing by a virus scanning 
engine and without transmission of the data packets to the virus 
scanning engine [rating (i.e., an analysis of the packets 22 by 
heuristic stage 36 results in a high level of confidence that 
the packet stream does not contain threats that heuristic 
stage 36 is trained to detect), buffer 24 releases the packets 
into a secured channel 38 directly into network 30 (lines 30- 
43, Col. 3)] and forward the data packets of the second type of a 
virus scanning engine for testing [buffer 24 shunts the packets 
elsewhere, for example, either out of the firewall (e.g., to a 
"bit bucket" such as /dev/null, where they are discarded) or it 
shunts them elsewhere 26 for additional processing. If 
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heuristic stage 36 is not certain as to the validity of the 
packets ("marginal-confidence"), buffer 24 releases the 
packets into complex firewall rule base 14 for processing 
(lines 51-57, Col. 3). If heuristic stage 36 rates packets 22 as 
either good-confidence or marginal-confidence, the packets 
are forwarded to another heuristic stage 44. Heuristic stage 
44 is pre-trained to look for temporal and other anomalies in 
packet streams including, but not limited to, one or more of 
the following: temporal attack signatures, frequency 
analysis, in-transit packet modification, forged-packet 
indicators, out-of-band (OOB) communications, and/or covert 
channel communications (lines 59-67, Col. 39)]. 
Fink et al. and Joyce are analogous art because they are from 
similar technology relating to information security and packet 
scanning. It would have been obvious to one of ordinary skill in 
the art at the time of invention was made to combine the system 
disclosed in Fink et al. with Joyce since one would have been 
motivated to provide methods and apparatus for a heuristic 
firewall that can learn from and adapt to data flowing through 
them to better mitigate such security threats (lines 34-37, Col. 1 
from Joyce). 

Fink and Joyce do not expressly disclose the remaining limitation 
of the claim. However, Baum et al. disclose the limitation 
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regarding classifying the received data packet includes 
determining whether at least one of the data packets includes 
content for a real-time audio or video data stream by teaching 
analyzing the packet is of voice (real-time) data [(lines 41-59, 
Col. 2; lines 61-62, Col. 5; and lines 25-57, Col. 6; lines 20-22, 
Col. 7 from Baum)]; 

Fink et al., Joyce, and Baum et al. are analogous art because 
they are from similar technology relating to information security 
and packet scanning. It would have been obvious to one of 
ordinary skill in the art at the time of invention was made to 
combine the system disclosed in Fink et al. and Joyce with Baum 
et al. since one would have been motivated to provide methods 
and apparatus for a firewall that filter the content of the real-time 
stream in order to provide real time firewall security (lines 11-13, 
Col. 1 Baum etal.). 

As per Claim 49, it is a method claim that corresponds to the 
apparatus claim 1 . Therefore, Claim 49 is rejected for the same 
rationale as of Claim 1. 

As per Claim 50, it is storage medium claim that corresponds to 
the apparatus claim 1 . In addition, Fink et al. disclose a computer 
program stored on a storage medium [The device comprising: 
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(a) a memory for storing at least on instruction (lines 22-23, 
Col. 3). The method of the present invention could be 
described as a series of steps performed by a data 
processor, and as such could optionally be implemented as 
software, hardware, firmware, or a combination thereof (lines 
63-66, Col. 3)]. Therefore, Claim 50 is rejected for the same 
rationale as of Claim 1. 

As per Claim 62, it is an apparatus claim that shares similar 
limitations as of claim 1. In addition, Fink et al. disclose memory 
and processor [The device comprising: (a) a memory for 
storing at least on instruction (lines 22-23, Col. 3). The 
method of the present invention could be described as a 
series of steps performed by a data processor, and as such 
could optionally be implemented as software, hardware, 
firmware, or a combination thereof (lines 63-66, Col. 3)]. 
Therefore, Claim 62 is rejected for the same rationale as of Claim 
1. 

/'/'. Referring to Claims 4 and 58: 

As per Claim 4, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 comprising: 

wherein the classifying comprises determining that data packets 
of the first type contain real time data [(lines 1-5, Abstract and 
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lines 32-39, Col. 3 from Joyce)]. In addition, Baum et al. 
disclose the limitation regarding the real time data other than the 
audio or video data stream [ (lines 55-59, Col. 2 from 

Baum et al.); where the real data is voice data stream]. 

As per Claim 58, the rejection of claim 49 is incorporated. In 
addition, Claim 58 encompasses limitations that are similar to 
those of Claim 4. Therefore, it is rejected with the same rationale 
as of Claim 4. 
//'/'. Referring to Claims 5, 57, 59, and 63: 

As per Claim 5, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 4. Fink et al. and Joyce further disclose 
wherein the classifying comprises determining that data packets 
of the first type as in Claim 1, and Baum further discloses 
classifying (I.e., filtering) the packets which are part of the audio 
or video data stream [(lines 41-59, Col. 2; lines 61-62, Col. 5; 
and lines 25-57, Col. 6 from Baum)]. 

As per Claim 57, the rejection of claim 53 is incorporated. In 
addition, Claim 57 encompasses limitations that are similar to 
those of Claim 5. Therefore, it is rejected with the same rationale 
as of Claim 5. 
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As per Claim 59, the rejection of claim 58 is incorporated. In 
addition, Claim 59 encompasses limitations that are similar to 
those of Claim 5. Therefore, it is rejected with the same rationale 
as of Claim 5. 

As per Claim 63, the rejection of claim 62 is incorporated. In 
addition, Claim 63 encompasses limitations that are similar to 
those of Claim 5. Therefore, it is rejected with the same rationale 
as of Claim 5. 

iv. Referring to Claim 11: 

As per Claim 11, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1, further comprising a buffer configured to 
store the data packets of the second type while the virus scanning 
engine is testing the data packets to detect a virus [(lines 39-65, 
Col. 2 from Joyce)]. 

v. Referring to Claims 32, 56, and 60: 

As per Claim 32, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 , wherein the firewall is configured to receive 
from a packet classification database, information defining the first 
and second types of data packets [(lines 4-7 and lines 38-41, 
Col. 8 from Fink et al.)]. 
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As per Claim 56, the rejection of claim 50 is incorporated. In 
addition, Claim 56 encompasses limitations that are similar to 
those of Claim 32. Therefore, it is rejected with the same 
rationale as of Claim 32. 

As per Claim 60, the rejection of claim 49 is incorporated. In 
addition, Claim 60 encompasses limitations that are similar to 
those of Claim 32. Therefore, it is rejected with the same 
rationale as of Claim 32. 

vi. Referring to Claim 33: 

As per Claim 33, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 32, further comprising: 
a virus scanning engine configured to receive from a virus 
detection database, programming information controlling the 
testing of the data packets of the second type by the virus 
scanning engine [(lines 30-40, Col. 2 from Joyce)]. 

vii. Referring to Claim 34: 

As per Claim 34, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 , further comprising: 

a virus scanning engine configured to receive from a virus 
detection database, programming information controlling the 
testing of the data packets of the second type by the virus 
scanning engine [(lines 30-40, Col. 2 from Joyce)]. 
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viii. Referring to Claim 40: 

As per Claim 40, Fink et al., Joyce, and Baum et al. disclose the 

apparatus of claim 1, further comprising configured to alert the 

destination upon detection of a virus in the data packets [(lines 

61-67, Col. 4 from Joyce)]. 

ix. Referring to Claim 41: 

As per Claim 41, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 wherein the destination is a local area 
network [protected network 12 (Fig. 1 from Fink et al.)]. 

x. Referring to Claim 42: 

As per Claim 42, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 wherein the destination is a personal 
computer [protected node 20 (Fig. 1 from Joyce)]. 

xi. Referring to Claim 43: 

As per Claim 43, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 , wherein the destination is a second network 
[protected network 12 (Fig. 1 from Fink et al.)]. 

xii. Referring to Claim 44: 

As per Claim 44, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1, wherein the first network is a wide area 
network [external network 14 (Fig 1 from Fink et al.)]. 

xiii. Referring to Claim 45: 
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As per Claim 45, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 44, wherein the wide area network is the 
Internet [External network 14 could optionally be the Internet, 
for example (lines 28-29, Col. 5 from Fink et al.)]. 

xiv. Referring to Claim 46: 

As per Claim 46, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1, wherein the destination comprises an 
Internet service provider configured to connect coupled to a 
gateway, 

a modem configured to connect to the Internet service provider, 
and one of a local area or personal computer configured to 
connect to the modem [(Fig. 1 from Fink et al.) and (lines 50-55, 
Col. 4 from Joyce)]. 

xv. Referring to Claim 47: 

As per Claim 47, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1, further comprising a virus scanning engine 
configured to decode the data packets during the testing of the 
data packets [(lines 69-67, Col. 3 from Joyce) and (lines 4-11, 
Col. 7 from Fink et al.)]. 

xvi. Referring to Claim 48: 

As per Claim 48, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 47, wherein the virus scanning engine is 
configured to function functions as a proxy for a destination 
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processor configured to receive which receives the data packets 
[(Fig. 1 from Fink et al.) and (lines 50-55, Col. 4 from Joyce)]. 

xvii. Referring to Claim 53: 

As per Claim 53, Fink et al., Joyce, and Baum et al. disclose the 
method of claim 49. In addition, Baum et al. disclose wherein the 
classifying comprises that the data packets of the first type 
include the content for the real-time audio or video data stream 
[(lines 41-59, Col. 2; lines 61-62, Col. 5; and lines 25-57, Col. 6 
from Baum et al.)]. 

xviii. Referring to Claim 61: 

As per Claim 61, Fink et al., Joyce, and Baum et al. disclose the 
method of claim 49, wherein the classifying is performed by a 
firewall [(lines 6-8, Col. 5; lines 65-67, Col. 6; lines 4-7, Col. 8 
from Fink et al.)]. 
xix. Referring to Claim 65: 

As per Claim 65, Fink et al., Joyce, and Baum et al. disclose a 
computer program in accordance with claim 49, wherein the 
classification is performed by a firewall [(lines 30-40, Col. 2 and 
lines 32-58, Col. 3 from Joyce)]. 

9. Claims 6 and 54 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Fink et al. (U.S. Patent 6,496,935), Joyce (U.S. Patent 
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6,519,703), and Baum et al. (U.S. Patent 6,400,707) and further in view of 

Lyle (U.S. Patent 6,886,012). 
/'. Referring to Claims 6 and 54: 

As per Claim 6, Fink et al., Joyce, and Baum et al. disclose the 
apparatus of claim 1 . Fink et al., Joyce, and Baum et al. disclose 
the firewall as in Claim 1 . Fink et al., Joyce, and Baum et al. do 
not expressly disclose the remaining limitations of the claim. 
However, Lyle discloses stop reception of a data stream 
containing the data packets in response to an alert from the virus 
scanning engine [(lines 28-34, Col. 14 from Lyle)]. 
Fink et al., Joyce, Baum et al., and Lyle are analogous art 
because they are from similar technology relating to Internet 
security regarding to data communications. It would have been 
obvious to one of ordinary skill in the art at the time of invention 
was made to modify Fink et al., Joyce, and Baum et al. with Lyle 
to have the various components in the gateway communicating 
with an alert message if the malicious code is detected, and to 
stop the data flow into the protected network in such a scenario 
since one would be motivated to have a way to share information 
about an attack, dynamically and without human intervention 
(lines 20-22, Col. 2 from Lyle). 
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As per Claim 54, the rejection of claim 50 is incorporated. In 
addition, Claim 54 encompasses limitations that are similar to 
those of Claim 6. Therefore, it is rejected with the same rationale 
as of Claim 6. 


Note: Examiner has pointed out particular references contained 
in the prior arts of record and in the body of this action for the 
convenience of the applicant. Although the specified citations are 
representative of the teachings in the art and are applied to the 
specific limitations within the individual claim, other passages and 
figures may apply as well. Applicant should consider the entire 
prior art as applicable to the limitations of the claims. It is 
respectfully requested from the applicant, in preparing for 
response, to consider fully the entire reference as potentially 
teaching all or part of the claimed invention, as well as the context 
of the passage as taught by the prior arts or disclosed by the 
Examiner. 


Conclusion 

10. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first 
reply is filed within TWO MONTHS of the mailing date of this final action 
and the advisory action is not mailed until after the end of the THREE- 
MONTH shortened statutory period, then the shortened statutory period 
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will expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1 .1 36(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply 
expire later than SIX MONTHS from the date of this final action. 

a. Tighe et al. (U.S. Patent. 7,069,432) disclose a method is provided 
for establishing a telephone call between a trusted Internet Protocol 
(IP) telephone and an untrusted device. The method includes 
receiving a call initiation request from the untrusted device that 
indicates a desired communication with the trusted IP telephone. 
The method evaluates the call initiation request, and establishes a 
telecommunication link between the untrusted device and the 
trusted IP telephone in response to a positive evaluation of the call 
initiation request. 

1 1 .Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Yin-Chen Shaw, whose telephone 
number is (571) 272-8593. The examiner can normally be reached on 
Monday-Friday from 9:30 AM - 6:30 PM Eastern Time. 
If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Edan Orgad can be reached on 571-272-7884. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450 
Or faxed to: 
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(571)273-3800 

Any inquiry of a general nature or relating to the status of this application 
or proceeding should be directed to the receptionist whose telephone 
number is (571)272-2100. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 

YCS 

May. 04, 2010 


/Edan Orgad/ 

Supervisory Patent Examiner, Art Unit 2439 


